The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

"LOS ANGELES - An executive of embattled data broker ChoicePoint Inc. said the company is developing a system that would allow people to review their personal information that is sold to law enforcement agencies, employers, landlords and businesses.

'You will receive the reports that we have on you,' Don McGuffey, the firm's vice president for data acquisition, told the state's Senate's Banking, Finance and Insurance Committee on Wednesday.

ChoicePoint's announcement comes a month after it disclosed that thieves used previously stolen identities to create what appeared to be legitimate businesses seeking personal records. The bandits, who operated undetected for more than a year, opened up 50 accounts and received vast amounts of data on consumers, including their credit reports..."

The only thing I have to add is that they had better make sure that people are who they say they are before handing over records ....

"TOKYO -- Starting April 1, businesses throughout Japan, including foreign companies, must comply with legislation that sets out new rules for handling personal data.

The Personal Information Protection Law, effective April 1, applies to any company with offices in Japan that holds personal data on 5000 or more individuals, according to Kazuhito Masui, an attorney at Shiba International Law Offices, a major international law firm based in Tokyo.

Personal data as defined by the law includes a person's name, address, date of birth, sex, home and mobile phone numbers, and also a person's e-mail address if that address is recognizably the person's name. The 5000 minimum includes company employees, Masui said in an interview last week...."

Employees expect their privacy to be protected. Sometimes a tribunal will side with the employee. Sometimes it will side with the employer. The easiest thing to do is assume that there is a right to privacy, adopt the reasonableness standards adopted by the pro-privacy adjudicators and privacy commissioners, and fight it out only if you need to.

It appears a bit coincidental that I posted this morning that organizations should encrypt data to prevent privacy breaches (PIPEDA and Canadian Privacy Law: Managing privacy risks using basic technology) and I've just discovered the Calgary Herald is reporting that encrypted mainframe tapes containing health records of "hundreds of thousands" of Albertans have gone missing. I hope this is a "non-incident", but in any event the Information and Privacy Commissioner of Alberta is on the case:

"Confidential health records of 'hundreds of thousands' of Albertans disappeared or were tampered with while in the hands of a courier earlier this month, prompting an investigation by the province's Information and Privacy Commissioner.

Details were scarce, but government sources told the legislature bureau on Tuesday that Privacy Commissioner Frank Work has been called in to investigate after data -- digitized, encrypted, and stored on large reel-to-reel tapes -- went missing or was otherwise tampered with while in transit between two government facilities.

It appears the tapes were backups, mainly for archival purposes. The information is considered confidential and could include medical records, prescriptions and billing history.

Sources would not confirm if the tapes were recovered or the police were investigating.

The sources said Health and Wellness Minister Iris Evans was assured by an expert with IBM Canada that a mainframe computer system and the proper encryption code would be needed to read the data.

Nonetheless, there is some concern that organized criminal gangs could have the ability to crack the code and use the highly private information...."

Thanks to Cryptome for linking to a very interesting whitepaper produced by Diebold, one of the leading makers of banking machines. Entitled ATM Fraud and Security, the whitepaper provides an overview of the state of the art in ATM Fraud, including skimming, shoulder surfing, overlays, and PIN interception. Scary stuff, but good to know about.

One thing that is painfully obvious is that too few organizations are encrypting their data. Encryption is easy and you have probably already paid for the function (if you run Windows XP). If any of the organizations involved in the following incidents had encrypted their data, they likely would have avoided much of the damage chronicled below:

200405 - Incident: Computer System at U.C. San Diego Hacked: "Hackers broke into the computer system of the University of California, San Diego, compromising confidential information on about 380,000 students, teachers, employees, alumni and applicants."

200409 - Incident: Hacker taps into CSUH Server: "HAYWARD -- A computer hacker somehow gained access to the records of about 2,000 Cal State Hayward students earlier this month, prompting campus officials to send out letters warning students that their personal information may have been compromised."

200410 - UC Berkeley reports massive security/privacy breach: "The FBI is investigating the penetration of a university research system that housed sensitive personal data on a staggering 1.4 million Californians who participated in a state social program, officials said Tuesday."

200410 - Dutch prosecutor leaves crime files on dumped PC: "Dutch public prosecutor Joost Tonino was condemned yesterday for putting his old PC out with the trash. It contained sensitive information about criminal investigations in Amsterdam, and also his email address, credit card number, social security number and personal tax files."

Computers, even servers, are highly portable and very easily stolen. Encryption of data on the hard drive (or backup tape) is the last line of defence. It is amazing to see that too few organizations do it. To state what should be obvious: encrypt your data.

It sounds a lot like the system being rolled out in Nova Scotia, which has encountered some privacy-related turbulence. Physicians, who are responsible for patient information under PIPEDA, are not keen to trust the government with this information. The provincial government, on the other hand, isn't subject to PIPEDA and doesn't really see it as its problem. It is the province's problem if it wants a provincial electronic medical record....

According to the CBC - Charlottetown, Karen Rose has resigned as the island's Information and Privacy Commissioner: CBC Prince Edward Island - Privacy commissioner resigns. I saw her speak a few times and she was always impressive. No news or speculation on who her replacement will be.

Tuesday, March 29, 2005

I teach Internet and Media Law at Dalhousie Law School. Last night we had a guest speaker, Lisa Taylor, a CBC journalist and law school grad. One of the topics discussed was publication bans and how they are inadvertently compromised when different media outlets choose to disclose limited -- but different -- information. This got me thinking about other ways of piecing together information.

While emptying the loads of junk from my pockets at the end of the day, I glanced at the pile of papers I had accumulated in the previous twenty-four hours. I was happy to see that all of the stores I had visited had blocked out digits of my card numbers, presumably to protect their customers. When I took a closer look, I noticed that they are completely inconsistent in how they do it. Some leave only the first four and last four digits. Some omit the last digits. So if you took my little pile of papers, you could completely recreate my debit card number. Hm... Perhaps we need a little consistency in how we protect identities. If I had emptied my pockets into the garbage, anybody trolling through my trash for personal information would be able to get the card numbers. And expiry dates for credit cards. Perhaps the debit terminal manufacturers and distributors could get together and figure this out.
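The receipt problem described above, as an added example that is not part of the original post: a small audit that overlays the masked prints a set of terminals produce for one card and reports how many digits stay hidden. The card number, the three masking formats and the last-four-only policy are constructed assumptions.

```python
"""Audit receipt masking formats for cumulative exposure of one card number.

Added example; every value below is constructed for illustration.
"""

MASK = "*"

# Constructed sample: one made-up 16-digit number as printed by three
# hypothetical terminals, each with its own masking habit.
INCONSISTENT = [
    "4000********0002",  # first four and last four shown
    "400012345678****",  # only the last four hidden
    "************0002",  # last four only
]

# The same purchases if every terminal followed one rule (assumed policy).
CONSISTENT = ["************0002"] * 3

# Assumed policy: only the last four positions may ever be printed.
LAST_FOUR_ONLY = set(range(12, 16))


def shown(masked):
    """Positions whose digit is printed in clear on one receipt."""
    return {i for i, ch in enumerate(masked) if ch != MASK}


def merge(receipts):
    """Overlay masked prints of one card; a position stays masked only if
    every receipt masks it."""
    if not receipts:
        raise ValueError("no receipts given")
    length = len(receipts[0])
    merged = [MASK] * length
    for receipt in receipts:
        if len(receipt) != length:
            raise ValueError("receipts differ in length")
        for i, ch in enumerate(receipt):
            if ch == MASK:
                continue
            if not ch.isdigit():
                raise ValueError("unexpected character %r" % ch)
            if merged[i] not in (MASK, ch):
                raise ValueError("receipts disagree at position %d" % i)
            merged[i] = ch
    return "".join(merged)


def audit(receipts, allowed):
    """Report what a pile of receipts exposes relative to the allowed positions."""
    allowed = set(allowed)
    merged = merge(receipts)
    return {
        # Digits nobody printed: the only protection left after overlaying.
        "hidden_after_merge": merged.count(MASK),
        # Positions printed by at least one terminal that policy forbids.
        "positions_outside_policy": sorted(shown(merged) - allowed),
        # Which individual receipts break the policy on their own.
        "offending_receipts": [
            n for n, r in enumerate(receipts) if shown(r) - allowed
        ],
        "fully_recoverable": MASK not in merged,
    }


if __name__ == "__main__":
    for label, pile in (("inconsistent", INCONSISTENT), ("consistent", CONSISTENT)):
        print(label, audit(pile, LAST_FOUR_ONLY))
```

With one rule applied everywhere, any number of receipts exposes the same four digits; with mixed rules, the exposure is the union of what each terminal prints.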

"... The distinction is part of an effort by the Department of Homeland Security and one of its RFID suppliers, Philips Semiconductors, to brand RFID tags in identification documents as 'proximity chips,' 'contactless chips' or 'contactless integrated circuits' -- anything but 'RFID.' ..."

Yet another university to add to the incident file. Someone walked off with a University of California Berkeley laptop containing personal information related to almost 100K students, alumni, applicants, etc. Thanks to the California privacy law, the University is required to inform each affected individual.

"A thief recently walked into a University of California, Berkeley office and swiped a computer laptop containing personal information about nearly 100,000 alumni, graduate students and past applicants, highlighting a continued lack of security that has increased society's vulnerability to identity theft.

University officials waited until Monday to announce the March 11 crime, hoping that police would be able to catch the thief and reclaim the computer. When that didn't happen, the school publicized the theft to comply with a state law requiring consumers be notified whenever their Social Security numbers or other sensitive information have been breached...."

"Tucked away in the rodeo-ridden town of Cheyenne, Wyo., is a small, seven-person company that is quietly blurring the conventional boundaries between public and private life. Founded by India-born Jay Patel, Abika.com is a self-proclaimed "worldwide leader in people information, verifications and profiling" in the emerging field of person-to-person search technology. The firm utilizes proprietary person-based data query/extraction systems (akin to old-fashioned intelligence gathering) in addition to online algorithmic searches to deliver "All Best Information Known Accurately."

The company has its roots in the most precarious of human endeavors -- dating (coincidentally, Abika was also the name of the man responsible for compiling the ancient knowledge found in the Kamasutra). In a recent interview with The Times of India, Patel described meeting an intriguing woman at a local Sam's Club and thereafter rushing home to his computer to dredge up every piece of her personal history he could find on the Internet. On the next date he surprised her with intimate details of her life and, fortunately for Patel, wasn't immediately branded as a stalker. Three weeks later, they were married.

...

Abika's overwhelming success -- the company processed more than three million personal information requests just last year -- combined with its relative ease of use has slowly attracted the attention of both domestic and foreign privacy watchdogs. The Electronic Privacy Information Center in Washington, for example, has warned of the perils of unregulated data mining, lax enforcement of the Fair Credit Reporting Act (a federal law enacted to prevent improper disclosure of personal financial history) and the overarching potential for identity theft.

...

The Canadian Internet Policy and Public Interest Clinic at the University of Ottawa has expressed similar concerns, particularly over the inaccuracies of Abika's psychological profiling methods and their potential for unfair discrimination and commercial abuse, and has filed complaints against Abika with the privacy commissioner of Canada and the U.S. Federal Trade Commission. To date, however, neither EPIC nor CIPPIC has made any progress toward curtailing this nascent industry.

Critics of these privacy groups note that most of the information in question is technically "public," albeit fragmented, and hence companies like Abika cannot be faulted for the mere acts of aggregation and inference. In an increasingly connected world, the rise of Abika and its brethren seem almost inevitable -- natural by-products of globalization and the growing culture of communication. Early warnings by parents and grade-school teachers ("don't say or do anything you might later regret") come to mind, with substantially more bite.

A potential error in this line of reasoning, however, lies in equating "public" with "equally publicly accessible." As EPIC has often noted, much of the information gleaned by data-mining companies comes from the expensive purchase of consumer records from other companies, an endeavor far from the reach of the average citizen. Accordingly, an immediate institutional and monetary bias in access is realized, forging an intrinsic difference in the meaning of "publicly accessible" for the individual and "publicly accessible" for the corporation, the latter being more comprehensive and inclusive.

As a result, individuals are inherently disadvantaged not only in knowing what information is known about them but also, importantly, who knows such information and whether it is indeed correct. This becomes acutely germane when faulty conclusions are drawn upon incorrect information (say, when a firm rejects a job applicant based upon erroneous data concerning past criminal/social history) or when extrapolated statistical conclusions are used to predict future behaviors (say, when law enforcement personnel, who are becoming quite fond of Abika's services, are identifying suspects)...."

Sunday, March 27, 2005

"ID theft: Not 'if,' but 'when'

Computer breaches spur calls for new laws

Many people learned a lesson the hard way recently: Big Brother barely has his eyes open when it comes to the data brokers that gather personal information on millions of Americans.

Which means, security and consumer experts warn, that unless states and Congress institute tough laws, all the paper-shredding in the world will not protect an increasing number of people from falling victim to identity theft...."

Saturday, March 26, 2005

According to an investigation by the Department of Homeland Security, and reported on by Yahoo news (Report: TSA Misled Public on Personal Data), the Transportation Security Administration misled the public about its role in getting passenger information from airlines while testing its passenger profiling software.

Friday, March 25, 2005

Once again, a university computer system containing personal information has been compromised by hackers. There is no confirmation that sensitive personal information has been compromised, but Purdue University officials are notifying students and employees that their information may have been disclosed:

"WEST LAFAYETTE, Ind. -- Purdue University officials have sent letters to more than 1,200 employees, students, graduates and business affiliates, alerting them that their personal information might have been illegally obtained through computers on campus.

Officials discovered Jan. 27 that someone hacked into the computers in the College of Liberal Arts' Theatre Division.

The hacking probably started in November when someone used special software to access the theater computers and two other campus systems, school officials said.

'While this information was vulnerable, we cannot say with certainty whether it actually was accessed,' Joseph Bennett, vice president for university relations, said Thursday. 'We take this very seriously because files on these computers contained information that could be used to commit identity theft.'"

Another one for the incident file (Summaries of incidents cataloged on PIPEDA and Canadian Privacy Law). The Kellogg School of Management is reporting that their computer systems have been hacked. All that is suspected to have been lost are userids and passwords, but other personal information may have been compromised. From WBBM 780:

"A security breach has been detected in the computer server system at Northwestern University's Kellogg School of Management.

...

Thus far, no one at Kellogg has reported any unauthorized use of their information.

When the server problem was discovered on March 20, the affected systems were immediately taken off-line and rebuilt. On Wednesday, Kellogg Information Systems determined that Kellogg user IDs and passwords, which provide access to various information sources on the Northwestern system, were potentially obtained by the hackers.

While the university said it has no evidence that personal identification was accessed, Northwestern has taken the precautionary measure of disabling all passwords and user IDs for Kellogg School faculty and staff (approximately 500) and students (approximately 3,000) affected. Kellogg Information Systems is also working to create new passwords for approximately 18,000 of the school's alumni whose passwords were also potentially obtained.

An investigation is ongoing and it appears that the servers were not targeted to obtain personal information.

Stay tuned to WBBM Newsradio 780 for the latest developments"

Getting personal information by "phishing" isn't new, but I've only recently received my first phishing e-mail. It actually is a bit funny since whoever wrote it is pretty stupid. It's also a bit scary because I'm sure it has snagged more than a few folks. Here's the message, with some of my favorite bits highlighted:

We recently reviewed your account, and we suspect an unauthorized ATM based transaction on your account. Therefore as a preventive measure we have temporary limited your access to sensitive Bank of Oklahoma features.

To ensure that your account is not compromised please login to Bank of Oklahoma Internet Banking and Investing by clicking this link, verify your identify and your online accounts will be reactivated by our system.

To get started, please click the link below:

[link removed]

Important information from Bank of Oklahoma.

This e-mail contains information directly related to your account with us, other services to witch you have subscribed, and/or any application you may have submitted.
Bank of Oklahoma and its service providers are committed to protecting your privacy and ask you to send sensitive account information through e-mail.

If your bank demonstrates its "commitment to protecting your privacy" by asking you to send sensitive account information via e-mail, you are being scammed or you are with the wrong bank.

While looking into this particular scam, I happened upon the Anti-Phishing Working Group, which has more info on the Bank of Oklahoma e-mail and many, many more.

Infosecurity Europe did a little research on the streets of London, showing that most people will trade away sensitive personal information for a chance to win something. I'd like to see some followup research to find out how people actually felt about giving up that information. I bet more than a few felt a little squeamish, but gave it up anyway:

"... The first question researchers asked was, "What is your name?", which seems reasonable enough if someone is potentially going to send you some vouchers, 100% of those surveyed gave their names. They were then asked a series of questions about their views on the theatre in London. People were then asked if they knew how actors came up with their stage name. They were then told it was a combination of their pet's name and mother's maiden name and were asked what they thought their stage name would be. Ninety four percent (94%) of respondees then went on to give their mother's maiden name and pet's name. To obtain the address and post code, researchers asked for their address details in order to post them the vouchers if they won, 98% gave their address and post code. To find out the name of their first school the question was asked, "Did you get involved in acting in plays at school?" and then "What was the name of your first school?". Ninety six percent (96%) gave the name of their first school, this answer along with mother's maiden name are key pieces of identity information used by banks.

In order to find out date of birth researchers said that in order to prove they had carried out the survey they needed their date of birth, 92% gave their date of birth and 92% also gave their home phone number in case there was a problem delivering the vouchers. At the end of a 3 minute survey, the researchers were armed with sufficient information to open bank accounts, credit cards, or even to start stealing their victim's identity. The researchers did not give any verification of their identity, their only tool was a clipboard and the offer of the chance to win a voucher for theatre tickets...."

Their techniques were sneaky and misleading, but someone trying to steal identities will be sneaky and misleading.

The Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation and the Office of Thrift Supervision yesterday released a guidance document under the Gramm-Leach-Bliley Act requiring banks to notify customers of security breaches involving their sensitive personal information:

"The final Guidance states that every financial institution should develop and implement a response program designed to address incidents of unauthorized access to customer information maintained by the institution or its service provider. The final Guidance provides each financial institution with greater flexibility to design a risk-based response program tailored to the size, complexity and nature of its operations. The final Guidance continues to highlight customer notice as a key feature of an institution’s response program. However, in response to the comments received, the final Guidance modifies the standard describing when notice should be given and provides for a delay at the request of law enforcement. It also modifies which customers should be given notice, what a notice should contain, and how it should be delivered. A more detailed discussion of the final Guidance and the manner..."

Thursday, March 24, 2005

The Register ran a story yesterday (that I would have otherwise missed - Thanks, PrivacySpot) about the litany of privacy stories that have appeared in the spotlight this March. The title is "ID theft is inescapable", but the story also has other lessons...

ID-theft and privacy are real issues for consumers. The media are now much more likely to run with the stories. Though I have no hard facts to back this up, I do not think this March madness is a symptom of increased hacking and criminality. Rather, it is a reflection of how ordinary consumers are concerned, how the media report on the issue and how legislators are stepping in to address this concern. Much of this activity would have been unreported had it not been for the California law that requires notification for security lapses. But that law was a response to consumer fears.

The lesson is that how organizations manage and protect consumer information is under the spotlight, and bright light is pretty unforgiving. I have seen, first hand, that a growing group of consumers are making decisions based on how companies respect their privacy. You can call them "privacy concerned." A large portion can be called neutral, and they'll walk if a company doesn't respect their privacy. This is now a simple reality for companies that deal with personal information.

"March 2005 might make history as the apex of identity theft disclosures. Privacy invasion outfit ChoicePoint, payroll handler PayMaxx, Bank of America, Lexis Nexis, several universities, and a large shoe retailer called DSW all lost control of sensitive data concerning millions of people.

Credit card and other banking details, names, addresses, phone numbers, Social Security numbers, and dates of birth have fallen into the hands of potential identity thieves. The news could not be worse...."

"As data broker ChoicePoint wrestles with the fallout from the sale of personal data to identity thieves and an investigation into two executives' sale of company stock, it faces questions on another front: its background-checking services.

Several lawsuits and consumer complaints in the last few years have accused ChoicePoint of providing inaccurate and out-of-date information in its criminal background reports, resulting in unfair job losses for applicants...."

"WASHINGTON (AP) -- ChoicePoint Inc., which sells consumer data and recently acknowledged a major security breach, raised its top executive's 2004 bonus to $1.8 million from $1.5 million a year before, according to a regulatory filing Wednesday...."

And execs are being investigated for stock sales before the privacy incident was made public:

"MAR. 4 8:13 A.M. ET Data collector ChoicePoint Inc. announced the Securities and Exchange Commission is investigating stock sales by its top two executives. The company also said it will also stop selling personal information about consumers to small businesses...."

Tuesday, March 22, 2005

Here's an interesting comment on The Information Security News blog from Clearwater Associates on using RSS instead of mailing lists to reduce your privacy risks. In short, if you don't have a mailing list that can be compromised, you effectively reduce the risk of having your mailing list compromised. And it gives complete control to your readers. Check it out here:

"Offering web site content updates via an RSS feed rather than by opt-in email can reduce the risk of privacy exposures. Because subscribing to an RSS feed is a 'pull' technology, it avoids the collection of personal information (email address, name, etc.) that would normally get collected in order to maintain a subscription to a site update alert, newsletter or digest..."

Press release: "U.S. Senator Ron Wyden (D-Ore.) today announced the introduction of legislation to prohibit a variety of surreptitious practices that result in spyware, adware and other unwanted software being placed on consumers’ computers. The bipartisan SPYBLOCK (Software Principles Yielding Better Levels of Consumer Knowledge) Act, introduced with Senator Conrad Burns (R-Mont.), would prohibit the installation of software on a computer without the owner’s notice and consent. The legislation also requires reasonable “uninstall” procedures for all downloadable software. Spyware, adware and other hidden programs often secretly piggyback on downloaded Internet software without the user’s knowledge, transmitting information about computer usage and generating pop-up advertisements. Frequently such software is designed to be virtually impossible to uninstall."

"...The practice of typing your name into an Internet search engine and seeing what pops up is now common, but the results can be unpredictable. The Internet holds surprising amounts of personal information between its ever-expanding corners, and some of it may be outdated, inaccurate or embarrassing.

ZoomInfo's computers have compiled individual Web profiles of 25 million people, summarizing what the Web publicly says about each person. The service, launched Monday, allows Web surfers to search for their profile, then change it for free...."

It looks like it scrapes the internet for information about people and compiles it into one handy-dandy place. I put in my name and was surprised about what it had to say about me. Thankfully, most of it was positive, but it was also a bit scary. I put my wife's name and it knew all about her too, based on a media interview she had done at the beginning of the year. It says you can control what is in it, but I doubt too many people will use that feature. I also wonder how they authenticate people. Can they tell the two hundred David Frasers apart?

Monday, March 21, 2005

I've been invited to be on Squeeze Play on Report on Business TV this afternoon. They are looking for a discussion on PIPEDA's first full year of implementation, commentary on the most recent privacy fiascoes in the United States and where we are headed in Canada. I'll be on ROBTv this afternoon around 5:15 (EST), or you can catch it on their internet archive available at http://www.robtv.com/shows/past_archive.tv?day=mon. I think ROBTV's on basic cable from coast to coast.

".... Recently, feeling curious about whether she needed more tests several years after a benign biopsy for breast cancer, she reread her detailed biopsy report online and felt reassured.

'It was very comforting,' said Perlman, a 51-year-old former CEO who lives in Menlo Park and now consults for high-tech companies. 'I feel like I've been able to be much more proactive with things like figuring out for myself what's the right schedule for a physical.'

Perlman's online ventures in medical care are just the beginning. Not far in the future, your entire medical record could be online, available to your doctors, the local emergency room, even the Lake Tahoe hospital that treats you when you break your leg skiing.

The idea is to move those bulging paper patient charts into the digital age, creating a record that travels with you rather than gathering dust in your doctor's office or a hospital's storage warehouse."

Rusty Weston and Keith Dawson, in Optimize Magazine (a part of the TechWeb Business Technology Network), scrutinize online privacy statements of a number of companies to look at how transparent they really are. The article focuses on whether the companies disclose offshore processing of customer information, but the article is a useful lesson on how to be transparent to gain customer trust.

"If you read a few dozen corporate privacy policies, you may be excused for believing that the same guy who drafts the fine print in rental-car contracts wrote these while moonlighting. There is some truth to that notion: It's easy to find boilerplate privacy forms on the BBB OnLine site. These policies generally are so vague--and cookie-cutter in style--it appears that they exist to give attorneys wiggle room if the disclosure is ever challenged in court.

The premise of our review of privacy statements by companies engaged in outsourcing of various kinds (they don't in all cases offshore customer data to third parties) is to determine how these firms handle the concept of customer disclosure. What policy language is the state of the art? Which statements need a serious policy review?...."

"Diany Castillo, a 54-year-old home health care aide who lives in Brooklyn, says she is grateful that the fragmented bits of her past - her moves from one state to another, her marriages and her name changes - can be found in the vast commercial databases that contain personal information on tens of millions of Americans.

Last October, a private investigator in Los Angeles used those digital bread crumbs to track down Ms. Castillo and send her a letter. Her estranged daughter, Diani Ramos, adrift for nearly a decade on the streets of southern California, was looking for her, the letter said.

The two were reunited in November.

In the heated debate over privacy rights and the sale of personal information by the data-mining industry, the story of Ms. Castillo and Ms. Ramos may represent a contrarian's view."

Sunday, March 20, 2005

The Alberta Information and Privacy Commissioner's office is raising the alert about security and privacy issues related to newer photocopiers and fax machines. Their hard-drives may store information without the user's knowledge:

"CALGARY (CP) - In the realm of high-tech dangers, few would consider the lowly fax machine or photocopier a security risk.

That would be naive, says Tim Chander, research manager of Alberta's Office of Information and Privacy.

'It's not your grandfather's printer anymore - these things are computers with hard drives that can be connected to the Internet,' said Chander.

'Anything you're photocopying (is) copied and stored on the hard drives unless they are overwritten.'

Chander said most businesses, government offices and health authorities lease their office equipment without considering the security ramifications.

'We haven't had a complaint come to our office. We just want organizations to be aware that anyone photocopying personal, business or health information to realize that when your lease is up, your information is going out the door,' he said...."

EYES ON THE ROAD: Spring Garden Road Area Business Association manager Bernard Smith says the group has offered to subsidize outdoor night-vision surveillance cameras for merchants, to scan the streets for trouble, after a series of downtown swarmings. (Photo: DARRELL OAKE)

A series of swarming-style robberies in downtown Halifax over the last two weeks — the latest early yesterday — has convinced businesses in the area to ask for more police feet in the street and eyes in the sky.
The Spring Garden Road Area Business Association is quietly telling downtown businesses it will subsidize exterior night vision surveillance cameras set up to scan the street for potential trouble.

The association is also asking for the return of beat cops to Spring Garden Road...."

So far, I haven't heard of a privacy backlash, but I expect there may be one forthcoming.

Saturday, March 19, 2005

InternetCases is running a summary of a recent Maine decision in which the Court ordered cable provider Time Warner to disclose the identity of an individual who allegedly impersonated the plaintiff in the case, sending an offensive cartoon. The US legislation requires that the cable company give the John Doe notice of the request; in this case, the unnamed individual was represented at the hearing:

"In the case of Fitch v. Doe, the Supreme Court of Maine has held that while the Cable Communications Policy Act of 1984 generally prohibits a cable operator's disclosure of subscriber information, an exception provided in the Act allows disclosure to nongovernmental entities pursuant to court order, so long as the subscriber has received notification thereof.

On Christmas Eve 2003, an anonymous person sent an email under Plaintiff Fitch's name with a derogatory cartoon attached. Fitch filed suit in Maine state court against the unknown sender of the email (John or Jane Doe). Fitch then sought an order directing Time Warner (the ISP of the account from which the message was sent) to disclose Doe's identity. Doe's counsel objected to the disclosure, arguing that the disclosure was forbidden by the Cable Communications Policy Act of 1984, 47 U.S.C.A. s 551 (the 'Act'), and that Doe did not consent to allow Time Warner to disclose his identity. The trial court ordered disclosure, finding that Doe's agreement with Time Warner provided such consent.

Doe appealed to the Maine Supreme Court, but the lower court's decision to order disclosure was affirmed. Although the court concluded that the lower court erred in determining Doe had consented to disclosure, such disclosure was authorized under an exception found in the Act...."

"After the terrorist attacks of Sept. 11, 2001, governments began looking for solutions to identification problems that had plagued them for decades. The United Kingdom and the United States suggested introducing national identification cards and driver's licences respectively with 'smart card' radio frequency identification (RFID) technologies. Canada has also considered the idea...."

"NEW YORK - LexisNexis, which last week said intruders had accessed dossiers on about 32,000 people in one of its database products, has restricted access to individuals' Social Security and drivers license numbers...."

Friday, March 18, 2005

The BC union that kicked off the Canadian debate over privacy, outsourcing and the USA Patriot Act has taken their arguments to court, according to ITBusiness. The article doesn't really say what the legal basis of their attempt to derail the government's outsourcing plans is, particularly after the government amended the public sector privacy law:

"The British Columbia Government and Service Employees' Union on Wednesday ended the third and final day of a Supreme Court case to block the outsourcing of its Medical Services Plan database management to a U.S. firm.

Union lawyers told the court that privatization of the Medical Services Plan (MSP) would violate the Canada Health Act and potentially jeopardize the privacy of patient data. The province has already signed a $324-million with Reston, Virginia-based Maximus Inc., which will deliver its services through two new Canadian subsidiaries, Maximus BC Health Inc. and Maximus BC Health Benefit Operations Inc. The BCGEU has asked for an injunction that would prevent the partnership from moving ahead until the broader issues in the case can be resolved. The Supreme Court had not made a decision at press time...."

The editorial staff of the Harvard Crimson have produced an opinion piece related to the AOL Instant Messenger privacy fuss. Though the focus is on jargon-laden EULAs (end-user license agreements), privacy notices have many of the same characteristics:

"You've Got Jargon: AOL’s two main weapons are fear, confusion, and a fanatical devotion to legalese

By THE CRIMSON STAFF

We do it without a moment’s thought. We click the box and accept the “terms” without pause. What are the actual terms? No one really knows—and, more often than not, no one really cares. But perhaps we should pay more attention to the content of these curious provisos—these End-User License Agreements (EULAs) that accompany most any piece of software. If the new changes to the terms of service of one of America Online (AOL) Inc.’s most popular applications are any indication, it’s easy to pull a fast one on unassuming customers without any real accountability. In their current, indecipherable form, however, it’s safe to assume that people will continue to “agree” to these terms without thinking. It is essential that EULAs be more up-front and comprehensible; they should be written in “plain English” to avoid any underhanded policies that might require signing away one’s soul—inadvertently.

The changes in question affect something very dear to almost any Harvard student, and increasingly almost any person who owns a personal computer, cell phone, or other trendy technological device that allows for epistolary e-interaction. And it stirs paranoia in anyone who generally enjoys the world of impersonal, anti-social online banter. That is, it affects the users of the ubiquitous AOL Instant Messenger (AIM).

AOL’s new terms, affecting anyone who downloaded AIM after Feb. 4, 2004 as well as anyone planning to update the program in the future, explain that, “by posting content on an AIM Product, you grant AOL, its parent, affiliates, subsidiaries, assigns, agents and licensees the irrevocable, perpetual, worldwide right to reproduce, display, perform, distribute, adapt and promote this content in any medium. You waive any right to privacy.” Frightening words, indeed....."

Privacy protection in the United States has often been criticized, but critics have too infrequently suggested specific proposals for reform. Recently, there has been significant legislative interest at both the federal and state levels in addressing the privacy of personal information. This was sparked when ChoicePoint, one of the largest data brokers in the United States with records on almost every adult American citizen, sold data on about 145,000 people to fraudulent businesses set up by identity thieves.

In the aftermath of the ChoicePoint debacle, both of us have been asked by Congressional legislative staffers, state legislative policymakers, journalists, academics, and others about what specifically should be done to better regulate information privacy. In response to these questions, we believe that it is imperative to have a discussion of concrete legislative solutions to privacy problems.

What appears below is our attempt at such an endeavor. Privacy experts have long suggested that information collection be consistent with Fair Information Practices. This Model Regime incorporates many of those practices and applies them specifically to the context of commercial data brokers such as ChoicePoint. We hope that this will provide useful guidance to legislators and policymakers in crafting laws and regulations. We also intend this to be a work-in-progress in which we collaborate with others. We welcome input from other academics, policymakers, journalists, and experts as well as from the industries and businesses that will be subject to the regulations we propose. We invite criticisms and constructive suggestions, and we will update this Model Regime to incorporate the comments we find most helpful and illuminating. We also aim to discuss some of the comments we receive in a commentary section. To the extent to which we incorporate suggestions and commentary, and if those making suggestions want to be identified, we will graciously acknowledge those assisting in our endeavor.

Business Access to and Use of Personal Information
8. Social Security Number Use Limitation
9. Access and Use Restrictions for Public Records
10. Curbing Excessive Uses of Background Checks
11. Private Investigators

Government Access to and Use of Personal Data
12. Limiting Government Access to Business and Financial Records
13. Government Data Mining
14. Control of Government Maintenance of Personal Information

Privacy Innovation and Enforcement
15. Preserving the Innovative Role of the States
16. Effective Enforcement of Privacy Rights "

"Officials at CSU Chico are notifying thousands of current, former and prospective students, faculty and staff that a computer hacker accessed their names and Social Security numbers.

The letters detailing the personal information breach are going out now. The university's computer monitoring system caught some unauthorized software on the network in early February and determined that someone had broken into a computer server at the university's housing and food service center last July. The hacker had installed software to store files on the server. The individual also attempted to break into other computers.

In the eight months since the breach, university officials said it doesn't appear the hacker actually accessed personal data. 'Even though we didn't find proof that the data had been compromised, because the person had access to the system we wanted to send out the notification as a precaution,' said CSUC Information Security Officer Brooke Banks...."

After meeting with top executives last night, Sen. Charles Schumer (NY) announced today that Westlaw would be taking major steps to close large loopholes in its data search systems which previously allowed access to millions of Social Security numbers and other personal information. Peter Warwick, the head of Westlaw, thanked Sen. Schumer for raising important questions about privacy, and he has directed his company to take decisive action to close the privacy loopholes Schumer highlighted in letters and conversations. Westlaw undertook a complete review of its systems and made significant changes in its dealings with its clients.

Schumer said, “The steps that Westlaw has taken to close privacy loopholes and protect consumers from identity theft are a model for the rest of the data broker industry. This is a victory for consumers and big loss for criminals who want to steal your Social Security number and your identity. Identity theft costs consumers and businesses an estimated $5 billion per year and I’m happy that we’re making progress to reduce that financial burden on American families.”

85% of those who had access to Social Security numbers on Westlaw’s database do not anymore.

No corporate clients have access to Social Security numbers anymore.

Eliminated government clients’ access for full Soc. Sec. numbers, including the U.S. Senate, and are working to restrict access to non-law enforcement personnel at other government agencies.

Will not sign new contracts that would allow full access to Soc. Sec. numbers.

Individuals who still have access will be screened by Westlaw, and are working towards individualized password access for those who have been screened.

Westlaw also expressed its support for Schumer’s efforts to enact legislation addressing ID theft, including the distribution and sale of Social Security numbers except to law enforcement; support regulation of data brokering."

College representatives said Thursday that the school was the target of a virus attack on a computer housed in a campus calling center used by students to solicit donations from alumni. According to Boston College spokesman Jack Dunn, the machine in question is managed by a third-party IT service, which the school has chosen not to publicly identify.

Dunn said the company noticed a spike in the computer's activity during a routine maintenance operation and discovered a virus on the device that was attempting to use the database to launch attacks on other systems. The machine was then taken offline and examined in order to determine the extent of the attack.

No other computers were found to be affected by the virus, he said...."

Wednesday, March 16, 2005

A little while ago, I blogged about the accidental e-mailing of a list of HIV positive residents of Palm Beach County in Florida (see PIPEDA and Canadian Privacy Law: E-mail gaffe reveals HIV, AIDS names). Now, a number of HIV patients in the same county have received anonymous letters indicating their names had appeared on a list of HIV/AIDS patients in the county. County officials say the incidents are unrelated, but the coincidence is puzzling:

WEST PALM BEACH — Three law enforcement agencies have launched a criminal investigation to find out who is sending letters threatening the privacy of the 4,500 AIDS patients and 2,000 people who are HIV-positive in Palm Beach County.

One of the recipients of a letter postmarked March 8 told The Palm Beach Post Tuesday, "I'm very upset about this. I've been HIV-positive for a long time and, thankfully, I'm OK, but I'm looking for a job. Who is going to hire me if someone reveals my HIV status? This is a terrible thing."

He gave his name and phone number but asked that he not be identified in print because of the stigma associated with AIDS.

The otherwise innocuous letter with no return address that he and others received at their homes last week said, "Your name appeared on a list of HIV/AIDS patients for Palm Beach County."

A list of patients was inadvertently e-mailed last month to 800 Palm Beach County Health Department employees, but health officials do not believe the recent mailing used the same list because it did not include addresses.

"This is a separate incident, and I regard this as terrorism," department Director Dr. Jean Malecki said Tuesday. She confirmed that she turned two of the letters over to law enforcement investigators Tuesday and asked for a criminal investigation...."

"'How much data on how many Americans are they dealing with?' Sen. Richard C. Shelby, the Alabama Republican, asked the head of the Federal Trade Commission last Thursday, during a hearing on identity theft and the data broker industry.

The F.T.C.'s chairwoman, Deborah Platt Majoras, explained that the industry's scope was difficult to gauge. But individual data brokers 'can have billions of pieces of data regarding consumers,' she said.

I am also informed that it will be available to the world at large via webcast. Go to Conference Webcast Information for info on how to hook up via Real Player and how to post questions for the panelists via the public forum.

Dennis Bailey in the Open Society Paradox raises a very interesting question about the root causes of identity theft. In his view, it is not the fault of the organization that leaks personal information to identity thieves. Rather, he says, it is the credit grantors who provide credit facilities to the impostors.

"ChoicePoint is being crucified for not having done due diligence to verify the identity of the individuals who stole data. Why aren't financial institutions being held to the same standard when it is their giving of accounts to identity thieves which is at the core of the problem. Don't they also have a responsibility to verify the identity of their customers? Fix that part of the equation with improved identification and biometrics and ChoicePoint's data becomes a non-issue. Can't anyone see the waterfall for the river that Congress is heading down? If I've said it once, I've said it a million times, you can't lock down data in the information age. You can only prevent its misuse."

The CEO of ChoicePoint was scheduled to appear last week, but the committee ran out of time. Well, he appeared today and, according to MSNBC, he was put on the hot seat by the members of the committee:

The first summary finding of 2005 has been released by the Canadian Privacy Commissioner. In it, the Commissioner concludes that the complainant's employer did not violate PIPEDA by seeking medical information about the employee who occupies a "safety sensitive" position. The complainant also alleged that the employer collected information directly from his/her physician without consent, a complaint that was well-founded.

"...An employee of a transportation company made two allegations against his employer: (1) that his employer was requiring him to provide more medical information than necessary and would not allow him to return to his position until he supplied the information; and (2) that the company obtained medical information about him from his doctor without his consent...."

I am informed by a colleague who made an inquiry of the Office of the Privacy Commissioner that finding summaries are going to be published less frequently than in the past. This is unfortunate. Despite their serious shortcomings, these findings provide the only insight into the Commissioner's thought process and also make good case studies to teach companies how to deal with PIPEDA.

Monday, March 14, 2005

CNET News is reporting that AOL is planning to redraft its "inartfully drafted" privacy statement to clarify that they do not require users to waive their rights to privacy. Or, depending upon whom you believe, to back off from their original plan to have users waive their rights to privacy.

"America Online said late Monday that it plans to revise its user agreement in response to concerns that instant messages sent through the company's service could be monitored.

The new policy for AOL Instant Messenger, or AIM, will stress that the company does not eavesdrop on customer's conversations except in unusual circumstances such as a court order, an AOL spokesman said..."

I bet there's a room full of lawyers busily redrafting the policy while I write this.

As a more than casual observer of privacy incidents and damage control, it will be interesting to see what the blogosphere will have to say about this. Many, I am sure, will be waiting for the final re-draft before cutting AOL any slack. My next prediction: The mainstream media will pick up on the original story for tomorrow's papers. To AOL's distress, I predict that many will not cover the proposed re-draft, resulting in more adverse publicity and greater damage control efforts.

Fellow Canadian blogger and technology lawyer, Rob Hyndman, is quoted in eWeek discussing the AOL Terms of Service that have caused such a stir recently. I have to say that I agree with his observations about how easy it is to draft something heavily in favour of your client which may not be entirely appropriate given the circumstances. Read his contributions here:

"....Rob Hyndman, a technology lawyer based in Ontario, pointed out that the terms of service covers the entire AIM product and does not explicitly exclude instant messaging.

'I think the AOLs of the world don't take the impact their TOS [terms of service] have on users seriously enough, generally because they have market power and the customer doesn't,' Hyndman told eWEEK.com, arguing that the AIM terms of service appears all-encompassing."

AOL's TOS Change Sparks PR Crisis
WebProNews, KY - 21 hours ago
The blogosphere is buzzing this morning over a major privacy change to AOL Instant Messenger's ... The change is sparking outrage because of this quote... ...

AIM's New Terms Of Service
Slashdot - Mar 11, 2005
acaben writes "AOL has posted new terms of service for AIM, that include the right for AOL to use anything and everything you send through AIM in any way they ...

AOL kills AIM privacy
p2pnet.net, Canada - 12 hours ago
p2pnet.net News:- You no longer have any right to privacy if you use America Online's AIM software downloaded on or after February 5 last year. ...

"America Online spokesman Andrew Weinstein responded to a request for more information about AOL Instant Messenger's terms of service, which I wrote about Saturday after spotting it on Slashdot.

The terms would appear to indicate that anything generated using AIM is fair game for AOL to use, which would mean private IM communications are not so private.

But Weinstein said that's not the case.

The clause in question specifically refers to something an AIM user might post in a public forum, Weinstein says. He writes:

The related section of the Terms of Service is called "Content You Post" and, as such, logically and legally it relates only to content a user posts in a public area of the service.

If a user posts content in a public area of the service, like a chat room, message board, or other public forum, that information may be used by AOL for other purposes. One example of this might be a user who posts a "Rate a Buddy" photo and thus allows AIM to post it for other AIM users to vote on it. Another might be AOL taking an excerpt from a message board posting on a current news issue and highlighting it in a different area of the service.

....

Update: Looks like Weinstein spent his Sunday afternoon hittin' the phones & e-mail, trying to put out this fire. His comments have shown up in several other places, including Steve Rubel's MicroPersuasion blog. Note that a Rubel reader responds there, and remains dubious:

Andrew I'm glad you posted here but what you are saying makes no sense. By using AIM it is implied I agree to the TOS. The TOS specifically state:
1) I waive my rights to privacy.
2) AOL can make money off of the content.

"NELIGH, Neb. - Practices which helped neighbors stay connected in this community of 1,200 and others like it across the country are largely gone - partly because of the nation's new medical privacy laws under the Health Insurance and Portability and Accountability Act.

It used to be easy for Hope Weaver to comfort friends when they were in the hospital. If she didn't hear that someone needed a visit by word-of-mouth, she'd simply pick up the newspaper, tune in her radio or look at the patient list posted in the hospital's front lobby. 'You like to send people a card or keep in touch with them,' the 79-year-old resident notes...."

If the communities are so keen on broadcasting the names of those in hospital, why don't they just ask everyone, upon admission, if they want their information spread "the old fashioned way"?

I've started following The Open Society Paradox, a blog by Dennis Bailey, which offers an alternative to much of the debate on privacy that one sees around the 'net. In one of his latest postings, Dennis discusses an article in Vanity Fair profiling Hank Asher and the very controversial MATRIX system. MATRIX stands for "Multi-State Anti-Terrorism Information Exchange" designed to mine vast databases to pick out potential terrorists.

Saturday, March 12, 2005

It pays to read the fine print. AOL's Instant Messenger software (AIM) is one of the more popular IM platforms. Privacy Digest just pointed a reference to AIM's new Terms of Service, which purport to give AOL a blanket right to do whatever they want with users' private messages and require the user to waive all rights to privacy with respect to those messages.

"...Although you or the owner of the Content retain ownership of all right, title and interest in Content that you post to any AIM Product, AOL owns all right, title and interest in any compilation, collective work or other derivative work created by AOL using or incorporating this Content. In addition, by posting Content on an AIM Product, you grant AOL, its parent, affiliates, subsidiaries, assigns, agents and licensees the irrevocable, perpetual, worldwide right to reproduce, display, perform, distribute, adapt and promote this Content in any medium. You waive any right to privacy. You waive any right to inspect or approve uses of the Content or to be compensated for any such uses...."

This is exactly the sort of thing that will backfire on a company. It was posted to Slashdot early yesterday (Slashdot | AIM's New Terms Of Service) and it is getting pretty wide coverage. The above terms will make people think that AOL is a proxy for "big brother" or that it is heavy handed or both. I don't think it'll be long before it gets to the conventional media (it's already referred to in the Houston Chronicle Techblog: HoustonChronicle.com - N0 privacy 4 u, LOL!!!!!), which will threaten AOL's proposed move into VOIP services. "If they eavesdrop on my instant messages, can I trust them with my phone calls?"

"'Spamalot' fans who signed up for a newsletter on the Broadway musical's official Web site may end up getting, well, spammed a lot. 'Movin' Out' devotees may have the same problem. A security glitch - now fixed - exposed the names and postal and e-mail addresses of more than 31,000 people to savvy computer users.

Up until Thursday evening, when a reporter from The New York Times pointed out the problem to the Web sites' developer, visiting a specific address on the shows' sites produced a long page with mailing-list data. The security hole was not obvious to casual Web surfers because the address was buried in the site's code. But it could have been discovered by someone deliberately seeking the list data, or by a kind of program used by spammers to scour the Web for new e-mail addresses to bombard.

Both montypythonsspamalot.com, where 19,000 people had signed up for a newsletter, and movinoutonbroadway.com, where 14,000 had, were built by Mark Stevenson, a designer in Croton-on-Hudson, N.Y...."

I'm not sure if this qualifies as an incident as the article only refers to the glitch's potential to expose addresses. I suppose the site maintainer would be able to look at their logs to find out if the page with all the names was ever viewed.

So many privacy incidents are caused by simple human error, which I expect is the cause of this one. I'm on the board of an industry association that recently allowed the local economic development agency to send an e-mail to its members announcing a very specific event. Unfortunately, someone thought that using a "distribution list" in Outlook would shield all the addresses. Not quite. Every single address was in the "To:" field. So far nobody has complained, but I expect we'll hear more of it. One minor misunderstanding of the technology and it had the potential to upset quite a few people.

Thanks to Rob Hyndman for reminding me about the article. I saw it very early this morning but forgot to bookmark it for later blogging.

According to CNet News, Microsoft has just moved to a shortened privacy statement on all the MSN sites. These provide a high-level overview of the information collected from a specific site and allow you to click for more detail. The window below contains the general MSN Summary Privacy Statement:

"... A standard notice contains six sections covering the scope, information collected, use of the information, consumer choices and company contact information. It also includes a section for important notices to the consumer.

While their appearance is much simpler, the notices are difficult to write in plain language, McDade said.

'It was a very hard challenge to summarize (our practices) into a short snapshot and to write it in such a way that people thought it was a fair representation,' she said.

Microsoft has not yet implemented the shorter form on its main Web site."

I usually recommend that my clients use privacy notices that are as reader-friendly as possible. One of the key elements is to make sure the reader does not have to wade through a bunch of stuff to get their questions answered. Once you figure out what most customers who read the notices want to know, put it in a summary at the beginning or somehow highlight those sections in the text. Customers read privacy notices because they are suspicious or have a question. You want to answer the question and alleviate their suspicions. Notices like those implemented by MSN look like they'll do a good job at communicating their policies and practices.

Thieves made off with a computer from a Nevada DMV office that contained sensitive personal information of 8,900 individuals who had applied for drivers' licenses between November 25 and March 4. The DMV originally said that the drives were encrypted (which would render the information inaccessible to the thieves), but this was not the case. From the Las Vegas Sun:

"NORTH LAS VEGAS, Nev. (AP) - Personal information from more than 8,900 people was stolen when thieves broke into a Nevada Department of Motor Vehicles office, officials said Friday.

A computer taken during the break-in contained names, ages, dates of birth, Social Security numbers, photographs and signatures of southern Nevada residents who obtained driver's licenses between Nov. 25 and March 4 at the North Las Vegas office, state DMV chief Ginny Lewis said...."

Friday, March 11, 2005

Doctors Nova Scotia (formerly the Medical Society of Nova Scotia) this week asked me to write a brief article for their website and magazine about what physicians should do if the security of patient information is compromised. The question arises most often in the form of "what if my computer [or PDA] is stolen?"

I was happy to help since DoctorsNS has been extremely proactive in helping its members to address PIPEDA. In fact, it was for DoctorsNS that I originally wrote the Physician's Privacy Manual (e-mail me - david.fraser at mcinnescooper.com - if you are interested in purchasing a copy).

Q. With the new privacy law now in force, what measures do physicians have to take to prevent the theft of computers and the like containing confidential patient information and what should physicians do if something like this were to happen?

A. Since January 1, 2004, the collection, use and disclosure of personal information by private practice physicians in Nova Scotia has been regulated by the Personal Information Protection and Electronic Documents Act, commonly known by its acronym “PIPEDA”. The law covers all aspects of physicians’ responsibilities with respect to patient information and specifically includes an obligation to safeguard personal information against a wide range of risks. Among those risks are loss, theft and inappropriate access. The law does not dictate what specific technological or security measures physicians must employ but it does say that the safeguards must be proportional to the sensitivity of the information in question. Because medical records are among the most sensitive, a physician’s responsibilities in this area are proportionately high.

While PIPEDA is a new law, it does not replace the obligations that physicians have always had to exercise due care to protect their patients from harm caused by the physician’s actions or omissions. The inappropriate disclosure of personal information can undoubtedly cause harm, particularly in this age of identity theft. In addition, individuals entrust their physicians with very sensitive information that may have significant consequences if it is disclosed to others. For example, a patient’s record may contain information about a particular condition that, if disclosed to the individual’s employer, could result in the individual being fired. The inappropriate disclosure of information about a battered spouse may have severe safety repercussions for that patient.

These rules apply to all patient information, regardless of whether it is written on paper or stored in a computer. Use of electronic systems poses additional risks, simply because large amounts of information may be stored in an easily stolen form. Also, external hackers might access an under-protected system, leaving very little sign that the information has been compromised. Physicians should take all reasonable measures to protect this information against the sorts of threats that may exist, depending upon the circumstances. Locks on doors, virus scanners and computer firewalls immediately come to mind. The encryption of electronic data may also be the last line of defence, meaning that data stored on a stolen hard drive still cannot be accessed by a thief who does not have the password.

So what should a physician do if he or she believes that patient information may have been compromised? PIPEDA does not specifically say, unlike Ontario’s new Personal Health Information Protection Act, which requires all health information custodians to inform an individual at the first reasonable opportunity if that individual’s personal information is stolen, lost, or accessed by unauthorized persons. While physicians likely should contact all affected patients to inform them of a breach or possible breach, whether they are under a legal obligation to do so is unclear. Because the unauthorized access to personal information may put individual patients at risk, the only way that this risk may be mitigated is to inform the patients so that steps can be taken to minimize the harm. The following checklist may be helpful to a physician who believes that patient information may have been lost, stolen or inappropriately accessed:

If the incident relates to a theft or malicious intrusion attempt, the police should be notified as soon as possible.

The College of Physicians and Surgeons should be notified.

Your liability insurer and/or the Canadian Medical Protective Association should be notified.

Immediate steps should be taken to prevent the recurrence of the loss; for example, computer servers should be immediately disconnected from potential avenues for intrusion, such as external networks and modems; locks should be changed on the doors if the incident relates to a physical break-in.

Carefully consider whether patients should be contacted to allow them to mitigate the effects of the incident.

Physicians should not attempt to cover up or gloss over any of these incidents, as such actions tend to compound the problem and undermine patient confidence in physicians generally.

If you have any concerns about the way that personal information is safeguarded in your practice, Doctors Nova Scotia is able to help by referring you to information and specialists that can help minimize the risk to the security of your patient information.

I note that this article is not legal advice and only pertains to provinces where private practice physicians are governed solely by the Personal Information Protection and Electronic Documents Act (NS, NL, PE, NB and not BC, AB, SK, MB, QC, ON).

Please note that I am only able to provide legal advice to clients of my firm. If you have a privacy matter, please contact me about becoming a client. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser may not be protected by solicitor-client privilege.

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Due to professional ethics, the author may not be able to comment on matters in which a client has an interest. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.